QEHS

Contract

Data Processing Addendum

Controller–processor terms for customers who process personal data in their tenants. Incorporates the EU Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum. Article 28 GDPR-compliant.

Version: 1.1
Effective: 2026-05-14
Slug: /legal/dpa

Status

Status: Version 1.1 effective 2026-05-14. These revisions are an internal editorial pass intended to make the document complete and accurate. The text remains under outside-counsel review. Material legal positions (entity definition, liability cap carve-outs, AI Article 22 disclosures, Transfer Impact Assessment) are flagged for counsel and may change before final publication.

Roles

Customer is data controller (or processor acting for its own controller). QEHS is data processor for Customer Data, and sub-processor for any onward processors Customer engages.

This DPA forms part of the Terms of Service or the Master Services Agreement between the parties and applies to QEHS's processing of Customer Data on Customer's behalf.

Processing instructions

QEHS processes Customer Data only on documented instructions from Customer: (a) to provide the Service in accordance with the Terms of Service or MSA, (b) to comply with applicable law (with notice to Customer unless the law prohibits such notice), or (c) as expressly authorised in writing.

If QEHS believes an instruction infringes applicable data-protection law, it will inform Customer promptly and may decline to perform that instruction.

Categories of personal data, data subjects, and processing duration

The Article 28(3) mandatory written content is set out in Annex I below. The categories of data subjects, types of personal data (including any special-category data), purpose and duration of processing, and the subject matter of processing are populated in Annex I and incorporated into this DPA by reference.

Sub-processors

The current list of sub-processors is set out in Annex III below and published at qehsethos.com/trust/subprocessors. The published list is updated promptly when new sub-processors are engaged or existing sub-processors are removed.

QEHS gives Customer at least 30 days' prior notice (by email to the Customer billing contact and by an update to the published list) before engaging a new sub-processor. Customer may object on reasonable data-protection grounds within 15 days of notice. If the parties cannot resolve the objection within 30 days, Customer may terminate the affected portion of the Service for convenience and receive a pro-rata refund of prepaid unused fees.

QEHS imposes data-protection obligations on each sub-processor that are no less protective than those imposed on QEHS under this DPA and remains liable to Customer for sub-processor performance.

International transfers

At launch, Customer Data is hosted in the United States. Transfers from the European Economic Area, Switzerland, or the United Kingdom to QEHS or its sub-processors in the United States or any third country rely on: (a) the EU Standard Contractual Clauses (2021/914) Module Two (controller to processor) and, where applicable, Module Three (processor to sub-processor), and (b) the UK International Data Transfer Addendum to the EU SCCs, both of which are incorporated by reference into this DPA.

A Transfer Impact Assessment covering transfers to the United States is in preparation. Until completed and published, transfers proceed on the basis of the Standard Contractual Clauses alone. The completed assessment will be published in the Trust Center.

Where Customer is itself the data exporter and QEHS the data importer, Customer's acceptance of this DPA constitutes execution of the SCCs and the UK Addendum on behalf of Customer.

Security measures

QEHS implements appropriate technical and organisational measures to protect Customer Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The specific measures in place are set out in Annex II below.

QEHS will not materially reduce the level of protection during the term of the subscription.

Audit rights

Customer may audit QEHS's compliance with this DPA once per calendar year with at least 30 days' written notice, during normal business hours, and subject to reasonable confidentiality undertakings. Audits must be conducted in a manner that does not unreasonably disrupt QEHS's operations or compromise the security of other customers.

QEHS is working toward SOC 2 Type 1 attestation. Once obtained, QEHS will make the attestation report available to Customer under NDA in lieu of an on-site audit at Customer's election, subject to mutual agreement. No other third-party attestations are currently held; this section will be updated to reflect additional certifications as and when they are obtained.

Beyond the once-per-year audit right, Customer may request additional audits only where required by a supervisory authority following a security incident or where mandated by law.

Breach notification

QEHS will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a personal data breach affecting Customer Data. The notice will describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach.

QEHS will cooperate with Customer's investigation and notification obligations under applicable law and will provide such further information as Customer reasonably requires to discharge its own breach-notification obligations.

Data subject rights assistance

QEHS will assist Customer in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection, opposition to automated decisions). QEHS provides self-service tools where reasonably possible (export, deletion, search by data subject identifier).

Where the request cannot be fulfilled through self-service, QEHS will respond to Customer's reasonable assistance requests within the timelines required by applicable law, at no additional charge for routine assistance. Disproportionate or excessive requests may be subject to a reasonable charge.

DPIA and prior consultation

QEHS will provide reasonable assistance to Customer in carrying out data protection impact assessments and any prior consultation with supervisory authorities, where required under Articles 35 and 36 GDPR or equivalent provisions in other applicable data-protection law.

Data deletion and return on termination

On termination of the Service, QEHS will, at Customer's election: (a) make Customer Data available for export for 30 days after termination, then securely delete; or (b) securely return Customer Data to Customer in a structured, commonly-used, machine-readable format and securely delete after confirmation of receipt.

In either case, all Customer Data will be deleted from active systems within 90 days of termination and from backups within 30 days thereafter, except where QEHS is required by applicable law to retain a specific record. Where retention is required by law, QEHS will notify Customer of the obligation and will continue to apply the security measures in Annex II to the retained data.

CCPA service-provider attestation

For Customers subject to the California Consumer Privacy Act / California Privacy Rights Act (CCPA / CPRA), QEHS attests that: (a) QEHS is a "service provider" as defined in CCPA Section 1798.140(ag); (b) QEHS will not sell or share Customer Data within the meaning of CCPA; (c) QEHS will not retain, use, or disclose Customer Data for any purpose other than the business purpose specified in the Terms of Service or MSA; (d) QEHS will not retain, use, or disclose Customer Data outside the direct business relationship between QEHS and Customer; and (e) QEHS will not combine Customer Data with personal information that QEHS receives from any other source, except as permitted by CCPA.

India DPDP 2023

Where the Digital Personal Data Protection Act 2023 applies to Customer's processing of personal data of data principals in India, QEHS acts as a "data processor" within the meaning of that Act. The obligations of this DPA are intended to satisfy the corresponding processor obligations under the DPDP Act, subject to any later guidance from the Data Protection Board of India.

Legal hold and regulator requests

Customer may issue a written legal-hold notice to legal@qehsethos.com identifying specific Customer Data subject to litigation or regulatory preservation obligations. On receipt of a valid legal-hold notice, QEHS will suspend automated deletion of the identified data for the duration of the hold.

If QEHS receives a subpoena, court order, or regulator request for Customer Data, QEHS will, unless legally prohibited, promptly notify Customer so that Customer may seek a protective order or other appropriate remedy. QEHS will produce only the minimum data legally required and only after exhausting reasonable objections.

Confidentiality of personnel

QEHS ensures that personnel authorised to process Customer Data are bound by written confidentiality obligations or are under an appropriate statutory obligation of confidentiality. Access to Customer Data is limited to personnel who need it to deliver the Service.

Liability

Liability under this DPA is subject to the limitation-of-liability section of the Terms of Service or MSA, with the carve-outs identified there for data-protection obligations.

Annex I — Description of processing (GDPR Article 28(3))

Data exporter: Customer, in its role as data controller (or as data processor acting for its own controller).

Data importer: QEHS, in its role as data processor for Customer Data.

Subject matter of processing: provision of the QEHS Service to Customer, including hosting, processing, storage, search, analysis, reporting, and communication of Customer Data.

Duration of processing: for the term of Customer's subscription plus the deletion / return window described in the Data deletion and return on termination section above.

Nature and purpose of processing: hosting, storage, retrieval, organisation, transmission, analysis, reporting, and deletion of Customer Data in the course of providing the Service and complying with applicable law.

Categories of data subjects: Customer's employees, contractors, agents, and other personnel; Customer's suppliers, contractors, and visitors to Customer's sites; any individual whose personal data Customer chooses to upload, submit, or generate in its tenant.

Categories of personal data: identification data (name, employee number, role), contact data (email, phone, address), employment data (department, location, supervisor), health and safety data relating to incidents, inspections, exposures, training, and medical monitoring (which may include special-category health data under Article 9 GDPR), authentication and access logs, audit-trail metadata, and any other category Customer chooses to include in its records.

Special-category data (Article 9 GDPR): where Customer uploads occupational health and safety records that include health information, those records are special-category data and Customer must ensure it has a valid Article 9 lawful basis for the processing.

Frequency of transfer: continuous, on a request-driven basis as Customer uses the Service.

Retention period: as set out in the Privacy Policy and the Data deletion and return on termination section of this DPA.

Annex II — Technical and organisational measures

Encryption in transit: all customer-facing traffic to the Service is encrypted using TLS 1.2 or higher with certificates issued by a publicly trusted certificate authority (Let's Encrypt at launch).

Encryption at rest: sensitive secrets (SMTP credentials, encryption keys, API keys) are encrypted at rest using AES-256-GCM with keys managed by the QEHS encryption-keys subsystem. Backups are encrypted at rest.

Access control: access to production systems is restricted to authorised QEHS personnel with named accounts, multi-factor authentication, and least-privilege role assignments. Tenant data access by QEHS personnel is logged and reviewed.

Tenant isolation: customer data is logically isolated using row-level tenant-id scoping (via the QEHS withTenant query helper) and is not accessible across tenants.

Authentication: customer authentication uses Auth.js v5 with password hashing (bcrypt), optional multi-factor authentication, optional SAML / OIDC single sign-on for Enterprise customers, and optional SCIM-based user provisioning.

Audit logging: administrative actions are written to an immutable audit log (admin_audit table) and platform-level events to owner_audit_log. Customers can export audit-trail entries that affect their tenant.

Backup and recovery: encrypted backups are taken on a regular schedule with point-in-time recovery within a documented RPO. Backup restore drills are performed periodically.

Change management: code changes flow through a peer-reviewed pull-request workflow, automated CI tests, and a smoke-test gate on deploy. Database migrations are journal-checked before being applied.

Vulnerability management: dependencies are tracked and vulnerability scanning is run on a regular cadence. Penetration testing is planned in advance of public launch.

Incident response: a defined incident-response procedure governs detection, triage, notification (within 72 hours under this DPA), and remediation of personal data breaches.

Personnel: all personnel authorised to access Customer Data are subject to confidentiality obligations and complete privacy-and-security training before being granted access.

Sub-processor controls: each sub-processor is contractually bound to data-protection obligations no less protective than those in this DPA.

Note on current state: this list reflects QEHS's controls as of the effective date of this DPA. Specific implementation details (key-management provider, backup schedule, exact RPO/RTO numbers) may evolve; QEHS will not materially reduce the level of protection during the subscription term.

Annex III — Sub-processors

Stripe Payments Europe Ltd. and Stripe, Inc. — payment processing — Ireland and United States — billing data, payment-card metadata (card numbers themselves never reach QEHS systems).

Hostinger International Ltd. — virtual private server hosting and managed mailbox — European Union (Lithuania) and United States — all Customer Data hosted on the production database; transactional mailbox data.

Postmarkapp.com (ActiveCampaign LLC) — transactional email delivery — United States — email recipient address, subject, body, and delivery metadata for transactional messages sent by the Service on Customer's behalf.

Amazon Web Services, Inc. — object storage for file attachments — United States (with EU-region availability planned) — uploaded files, attachments, and exports.

Spaceship, Inc. — DNS registrar — United States — domain registration metadata only; no Customer Data is processed.

Self-hosted infrastructure not constituting separate sub-processors: SigNoz (observability), Chatwoot (customer support), and Cal.com (demo booking) are deployed and operated by QEHS on the same infrastructure as the production application and are not separate third-party data processors. They are listed here for transparency.

Planned future sub-processors (subject to the 30-day prior-notice mechanism above): Anthropic, PBC and OpenAI, Inc. or OpenAI Ireland Ltd. for AI features (Phase 10). The published list at qehsethos.com/trust/subprocessors will be updated with effective dates before any of these is engaged.

Version history

  • Version 1.0, Initial publication.
    Effective 2026-04-15
  • Version 1.1, Editorial revisions to address findings from the internal first-pass legal review: removed inaccurate data-residency claim, added GDPR Article 28(3) mandatory content to the DPA with Annexes I/II/III populated inline, added termination + survival + severability clauses across all contract documents, added IP ownership clause, added AI-output-liability disclaimer, added insurance schedule placeholder, added credit-claim mechanism to the SLA, added CCPA/CPRA disclosures, aligned plan-tier naming (Starter / Business / Enterprise) across SLA and ToS, and replaced unearned audit-certification references with the actual current state.
    Effective 2026-05-14

Questions? Email hello@qehsethos.com.